Highlighted

Problem integrating Google reCaptcha v2 into a simple form

Explorer ,
Jun 08, 2017

Copy link to clipboard

Copied

I am at my wits' end attempting to integrate Google's recaptcha v2 with a simple HTML form. I hope someone can help.

In the <head> of the form page I have

    <script src="https://www.google.com/recaptcha/api.js" async defer></script>

as directed by Google.

Within the form I have

    <div class="g-recaptcha" data-sitekey="xxxxxxxxxxx"></div>

where xxxxxxxxxxx is the sitekey provided by Google. When the form is displayed, this is properly creating the recaptcha widget.

On the target page that processes the form submission, I have this:

    <cfset form.RecaptchaResponse = "">

    <cfif StructKeyExists(form, "g-recaptcha-response")>

           <cfset form.RecaptchaResponse = form["g-recaptcha-response"]>

    </cfif>

    <cfhttp url="https://www.google.com/recaptcha/api/siteverify" method="post" result="captchaResult">

      <cfhttpparam type="formfield" name="secret" value="zzzzzzzz">

      <cfhttpparam type="formfield" name="response" value="#form.RecaptchaResponse#">

      <cfhttpparam type="formfield" name="remoteip" value="#cgi.remote_addr#">

    </cfhttp>

    <cfset result = "#deserializeJSON(StructFind(variables.captchaResult, 'FileContent'))#">

    <cfif result.success is "false">

        <cflocation addtoken="no" URL="/">

    </cfif>

     ...start processing the submission.

where zzzzzzzz is the secret key provided by Google.

First I intentionally submit the form without responding to the captcha. I dump the variable captchaResult (a structure). Its 'FileContent' key is a JSON string, and in that string, 'Success' is 'false'. This submission redirects to the site's home page -- exactly as desired.

Next I submit the form correctly, including responding to the captcha. Dumping captchaResult and then aborting, I see that 'Success' is 'true'. In other words, Google is definitely passing this submission.

So now I reload everything and resubmit correctly, including responding to the captcha. ColdFusion replies with this on my target page:

   We're sorry...

    Element G is undefined in FORM.

    The error occurred on line 1.

What the #$% is going on?? Any suggestions will be gratefully and humbly accepted.

Message was edited by: Jordan Backler Forgot to include that I am using CF 10

Views

2.6K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Problem integrating Google reCaptcha v2 into a simple form

Explorer ,
Jun 08, 2017

Copy link to clipboard

Copied

I am at my wits' end attempting to integrate Google's recaptcha v2 with a simple HTML form. I hope someone can help.

In the <head> of the form page I have

    <script src="https://www.google.com/recaptcha/api.js" async defer></script>

as directed by Google.

Within the form I have

    <div class="g-recaptcha" data-sitekey="xxxxxxxxxxx"></div>

where xxxxxxxxxxx is the sitekey provided by Google. When the form is displayed, this is properly creating the recaptcha widget.

On the target page that processes the form submission, I have this:

    <cfset form.RecaptchaResponse = "">

    <cfif StructKeyExists(form, "g-recaptcha-response")>

           <cfset form.RecaptchaResponse = form["g-recaptcha-response"]>

    </cfif>

    <cfhttp url="https://www.google.com/recaptcha/api/siteverify" method="post" result="captchaResult">

      <cfhttpparam type="formfield" name="secret" value="zzzzzzzz">

      <cfhttpparam type="formfield" name="response" value="#form.RecaptchaResponse#">

      <cfhttpparam type="formfield" name="remoteip" value="#cgi.remote_addr#">

    </cfhttp>

    <cfset result = "#deserializeJSON(StructFind(variables.captchaResult, 'FileContent'))#">

    <cfif result.success is "false">

        <cflocation addtoken="no" URL="/">

    </cfif>

     ...start processing the submission.

where zzzzzzzz is the secret key provided by Google.

First I intentionally submit the form without responding to the captcha. I dump the variable captchaResult (a structure). Its 'FileContent' key is a JSON string, and in that string, 'Success' is 'false'. This submission redirects to the site's home page -- exactly as desired.

Next I submit the form correctly, including responding to the captcha. Dumping captchaResult and then aborting, I see that 'Success' is 'true'. In other words, Google is definitely passing this submission.

So now I reload everything and resubmit correctly, including responding to the captcha. ColdFusion replies with this on my target page:

   We're sorry...

    Element G is undefined in FORM.

    The error occurred on line 1.

What the #$% is going on?? Any suggestions will be gratefully and humbly accepted.

Message was edited by: Jordan Backler Forgot to include that I am using CF 10

Views

2.6K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jun 08, 2017 0
Advocate ,
Jun 08, 2017

Copy link to clipboard

Copied

I've used this recaptcha API and I think I used it almost as-is from the google sample. The form field name returned from the client to me as named g-recaptcha-response. Because of the strange field name, you have to reference it as #FORM['g-recaptcha-response']# so:

    <cfhttp url="https://www.google.com/recaptcha/api/siteverify" method="post" result="captchaResult">

      <cfhttpparam type="formfield" name="secret" value="zzzzzzzz">

      <cfhttpparam type="formfield" name="response" value="#FORM['g-recaptcha-response']#">

      <cfhttpparam type="formfield" name="remoteip" value="#cgi.remote_addr#">

    </cfhttp>

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 08, 2017 0
Explorer ,
Jun 08, 2017

Copy link to clipboard

Copied

If you look in the code above the <cfhttp> call, you'll see that I'm doing just that. Just to make sure, I altered the code to do it explicitly, exactly as you show in your response. Got the same error as before.

In my target page, following the call to <cfhttp>, I did a <cfdump var="#variables.captchaResult#">, followed by <cfdump var="#form#'>, followed by <cfabort>. The form dump returned a structure. One key of that structure is FieldNames. Its value is a list of all the form fields, including 'g-recaptcha-response'. Another key is 'g-recaptcha-response', and its value is some long, horrendous combination of letters and numbers. This latter is the value of #form['g-recaptcha-response']#. So I'm certainly passing that to Google in the <cfhttp>. The dump of

{ "success": true, "challenge_ts": "2017-06-08T20:06:07Z", "hostname": "xxxxxxxxxxxxxx" }

which shows that Google responded properly to the request.

But after that, everything seems to fall apart. ColdFusion persists in looking for form.G. This seems like a bug. Am I missing something?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 08, 2017 0
New Here ,
Aug 30, 2018

Copy link to clipboard

Copied

I had exactly the same problem. It turned out to be the SQLinjection script I was also using on the form. That script loops through the FORM collection and looks for suspicious content using an evaluate(var) tag. The evaluate tag doesn't seem to like variable names containing dashes (i.e. form.g-recaptcha-response) so it was throwing the error Element G is undefined in FORM.

Solution for me was to modify my SQLinjection script to ignore the G-recaptcha-response form variable.

<cfif var neq "G-RECAPTCHA-RESPONSE">

    <CFIF IsSimpleValue(Evaluate(var)) AND REFindNoCase(SQL_Words, Evaluate(var)) NEQ 0><CFTHROW TYPE="SQLAttack" MESSAGE="Invalid Form value passed."></CFIF>

</cfif>

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Aug 30, 2018 0
Adobe Community Professional ,
Sep 04, 2018

Copy link to clipboard

Copied

ColdFusion generally expects variable names to consist of nothing but letters, numbers and underscores. So, this is not really an unexpected problem.

That said, I would recommend you simply use CFQUERYPARAM to prevent SQL injection attacks, and use CFTRY/CFCATCH and optionally CFTHROW to catch CFQUERYPARAM errors, instead of trying to filter them on your own. It is a much more efficient approach.

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 04, 2018 0
Enthusiast ,
Sep 04, 2018

Copy link to clipboard

Copied

ISLMEDIA​ - if you are using Evaluate to check for a SQL Injection problem then you are trading one security issue for another. When you call Evaluate it can dynamically evaluate (execute) code.

Instead of using evaluate, use bracket notation, eg form["G-RECAPTCHA-RESPONSE"] or form[varName], etc.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 04, 2018 0